Disaster Management
What is RTO and RPO in Disaster Recovery Planning?
Ronald Bushnell
Ninety-three percent of small businesses without a disaster recovery plan who suffer a major data disaster are out of business within one year. Those are grave statistics, yet up to 75% of small businesses do not have a disaster recovery plan.
On the other hand, of larger companies (1000+ employees), 95% reported having a DR plan. This massive disparity may point to a lack of resources, as larger companies typically have more resources to invest in non-core services. However, another reason is that small businesses may not know the threat they face by not having a DR plan.
This article explores what a small business DR plan is, why you need it, and how to set up one.
According to Wikipedia, disaster recovery planning is a “set of policies, tools, and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster.”
For a small business, this means putting in place measures to get back to business in the event of a disaster. DRPs can be elaborate or simple.
At one end, you have large corporations who invest millions in their DRPs. On the small business end, a DRP can be as simple as storing all your documents in the cloud.
Regardless of position, every business must invest in a DRP to ensure restoration of operations after a disaster.
Should your small business invest in disaster recovery planning or business continuity planning?
Here’s the distinction.
As you can see, you need both a DRP and a BCP. You can read more about a small business BCP here.
Due to a lack of substantial resources, small businesses are often ill-equipped to deal with shocks. A small business DRP helps you perform a risk assessment and create a plan that offers the best chance for survival in the event of a disaster such as a ransomware attack.
Does a DRP apply to any small business? Yes.
If your business uses technology to store records or other data, you need a small business DRP. Even if you keep those records on your personal computer or smartphone, they may get lost, damaged, or stolen, leaving you without vital data to continue your business operations.
When planning your small business DRP, you should consider the following three broad categories of disasters:
Natural disasters include fires, floods, hurricanes, earthquakes, and pandemics. Since most natural disasters are highly dependent on your geographic location, plan around the most probable and prevalent natural disasters in your area.
Technological disasters include system and equipment failures and structural failures. For example, a critical machine (e.g., a local server or computer) breaking down or power outages are technological disasters. Planning for these types of hazards depends on the systems, equipment, and structures you rely on to conduct business.
Human-caused disasters include both mistakes (like accidentally erasing crucial company data) and malicious actions by bad actors, such as hacking, ransomware, and the use of other malware. Human-caused disasters are the hardest to plan for because they are also the most unpredictable.
Before setting up a small business DRP, it is essential first to consider five crucial factors. Use these factors to prioritize your DRP and invest in the right solutions.
Downtime cost is the financial cost incurred when your business operations are offline.
One study found this figure to be between $137 and $427 per minute for small businesses.
At the same time, another study pegged it at $9,000 per minute for large organizations (Fortune 1000 companies can lose up to a million dollars per hour of downtime).
How much your business loses depends on where you lie on the spectrum, plus factors like business model, industry, and company size.
Downtime cost is a useful metric when justifying the investment you make towards your DRP (e.g., if the price of a cloud backup solution is less than your downtime cost, then it is a good investment).
Data and system integrity refers to the ability of a backup solution to restore data and systems to the exact point they were at when the disaster occurred.
Although restoring to the precise point may not be technically or financially feasible, understanding how this can affect your operations will help you prioritize data and systems integrity components in your DRP.
Again, your business model, type, and size will guide you in prioritizing these factors. For example, if your business logs transactions a few times a week, integrity might not be a high priority because your data does not change as often.
However, if your business logs transactions by the minute, you should make it a significant consideration.
Cost to Implement is the initial cost incurred to set up your DRP. For instance, you might consider purchasing a backup server for off-site data storage or bringing in an IT consultant to train your staff on disaster recovery.
Cost to Maintain refers to the running costs involved in keeping your DRP in place, for example, a subscription to a cloud backup solution.
A sustainable DRP keeps both costs well below downtime costs. However, keep in mind that these two costs are linked to your business’s size, so as your business grows, they too will grow.
While it may seem beneficial to cover all bases with a highly detailed DRP, a complex DRP defeats its own purpose because it is difficult to execute, which makes it harder to restore normal operations.
Simplicity is vital when formulating a DRP as it makes it easy to execute the plan. Moreover, even in the absence of the person charged with implementing it, anyone else in the company can easily follow the DRP and restore operations.
As you go over each step of your DRP, ask yourself whether it is simple enough to be executed quickly and effectively by anyone in your company.
If your company handles sensitive data, security should be a significant consideration in your DRP.
For instance, if you are a medical practice, any backup solution you pick must be HIPAA compliant.
Similarly, if you store payment data, you must ensure your third-party DR provider’s servers conform to the highest security standards available.
As with the other factors above, you must weigh the cost of a solution against the benefit it will provide. If all you store are invoices and office documents, security may not be a huge consideration.
As you formulate your DRP, you will quickly discover that there are very costly DRP solutions out there (including some DR-as-a-Service/DRaaS solutions) and others that require specialists to implement.
Every DRP has five core functions: prevention, protection, mitigation, response, and recovery.
Here’s what each function means for your small business DRP:
Prevention is the capability to avoid, deter, or stop a potential disaster. When developing a DRP, prevention involves assessing all possible threats.
In most cases, prevention may mean acknowledging the risk exists (e.g., cyber attacks, outages) and maintaining measures to counter the possibility that the threat will become a disaster.
Protection is the capacity to secure against potential disasters. In your DRP, protection can mean ensuring security measures are in place and maintained (e.g., passwords, remote access, CCTV camera technology).
Protection and prevention play a crucial role as pre-disaster measures and can significantly reduce a disaster’s impact.
Mitigation helps minimize the effects of an ongoing disaster and reduces downtime.
As the core component of a DRP, this function should have the most comprehensive measures in place.
Some mitigative actions that may apply to small businesses include cloud backups (off-site backups to a data center) or access to a crisis line (e.g., contact information for a local cybersecurity firm).
Response is the ability to neutralize or stabilize an emergency after a disaster has occurred.
In the DRP, response is addressed through training, establishing an emergency response team, and ensuring everyone is aware of and has access to the DRP.
Recovery addresses the measures or capabilities required to restore critical functions and resume normal operations.
Post-disaster, the recovery process ensures recovery strategies are in place to roll out restorative measures (e.g., setting a recovery time objective (RTO) and a recovery point objective (RPO)).
Now that you understand the basics of setting up a small business DRP, where do you start?
Here’s how to create an effective small business DRP:
Start by performing an inventory of all your hardware and software assets in order of priority. List all the resources essential to your business operations, including various data like customer data, supplier data, and proprietary data. On the hardware front, list items like computers and other connected devices.
In your list, segregate all items into three tiers based on priority:
Your downtime and data loss tolerance represent how well your business can withstand the effects of a disaster.
For example, if you are a landscaper, you will likely weather the effects of data loss better than an e-commerce business.
Factoring in your business type plus your most valuable assets, determine what would be the best-case scenario in the event of a disaster. That is, how quickly you need to resume operations for your business to survive.
Recovery objectives are benchmarks set to guide the resumption of operations within tolerance levels.
Your recovery objectives should have two essential metrics: recovery point objective (RPO) and recovery time objective (RTO).
RPO is the maximum amount of data loss your business can accept without catastrophic impact.
RTO is the maximum operational downtime within which data and systems should be fully recovered.
Set the RPO/RTO for each data and system asset across all three tiers.
For example, a Tier One asset like customer transaction data can have an RPO/RTO of one hour or less, while a Tier Two asset like a task management app can have an RPO/RTO of 4 hours.
Keep in mind that your recovery objectives may adjust depending on the recovery solution you select.
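The per-tier objectives described above can be checked automatically against your backup and restore-test records. The following is an added example, not part of the original article: the asset names, timestamps, restore durations, and the Tier Three objective of 24 hours are constructed assumptions, while the Tier One and Tier Two values follow the article's example.

```python
from datetime import datetime, timedelta

# Objectives per tier, in hours. Tier 1 and Tier 2 follow the article's example;
# the Tier 3 value (24 h) is an assumption made for this sketch.
OBJECTIVES = {
    1: {"rpo": 1, "rto": 1},
    2: {"rpo": 4, "rto": 4},
    3: {"rpo": 24, "rto": 24},
}

# Constructed inventory: newest successful backup per asset and the restore
# duration measured in the most recent DR test (None = never tested).
ASSETS = [
    {"name": "customer-transactions", "tier": 1,
     "last_backup": "2024-05-01T11:30", "restore_minutes": 45},
    {"name": "task-management-app", "tier": 2,
     "last_backup": "2024-05-01T06:00", "restore_minutes": 200},
    {"name": "marketing-archive", "tier": 3,
     "last_backup": "2024-04-30T02:00", "restore_minutes": None},
]


def check_asset(asset, now):
    """Return findings for one asset; an empty list means both objectives are met."""
    target = OBJECTIVES[asset["tier"]]
    findings = []
    # RPO: data written since the newest backup is what a disaster would destroy.
    age = now - datetime.fromisoformat(asset["last_backup"])
    if age > timedelta(hours=target["rpo"]):
        hours = age.total_seconds() / 3600
        findings.append(f"RPO exceeded: newest backup is {hours:.1f}h old, limit {target['rpo']}h")
    # RTO: only a measured restore proves the downtime target is reachable.
    restore = asset["restore_minutes"]
    if restore is None:
        findings.append("RTO unverified: no restore test on record")
    elif restore > target["rto"] * 60:
        findings.append(f"RTO exceeded: restore took {restore} min, limit {target['rto'] * 60} min")
    return findings


def audit(assets, now):
    """Map asset name -> findings for every asset in the inventory."""
    return {a["name"]: check_asset(a, now) for a in assets}


if __name__ == "__main__":
    for name, findings in audit(ASSETS, datetime(2024, 5, 1, 12, 0)).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

An asset with no recorded restore test is reported separately from one that failed its RTO, because an untested backup gives no evidence either way.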
Identify internal people responsible for key roles, including declaring a disaster, logging incidents, notifying vendors, and informing customers.
Clearly defining key people will ensure the plan has ownership and make it clear from the onset who should act when disaster strikes.
After selection, identify backups for each key person in case they leave the company, are indisposed, or otherwise unreachable.
Also, identify critical external parties like a cybersecurity firm who may play a role in responding to a disaster.
A communication plan indicates how to notify employees of a disaster, tell them what to do next, and give them ongoing updates.
Assuming core communication tools like email and phone may be affected, identify contingency channels like personal phone numbers for initial communications.
Next, develop communications criteria to disseminate information to partners, vendors, customers, and other stakeholders.
Having a written procedure for this will ensure all parties remain on the same page throughout the incident.
The DR solution you pick should meet or exceed your disaster recovery objectives.
While there are in-house DR solutions that you can employ like RAID, hard drive, and optical recovery, the best disaster recovery solutions provide comprehensive coverage of all your mission-critical assets while offering ongoing support.
Consider working with a reputable IT services provider who can give you several options to pick from, including cloud backups and DR-as-a-Service.
How do you define a disaster?
If your area has occasional power or Internet outages, these should not trigger your DRP. In your plan, define a disaster using an all-inclusive checklist of what amounts to a disaster for your business.
Although this checklist will differ for each business, some items it might have are:
By this point, your DRP is almost complete, and what remains is to turn it into documented procedures.
Documenting procedures transforms all the information you have into a formalized company document that dictates how to implement the DRP.
In the document, create guidelines for the following actions:
The finished document will serve as a codified reference with all relevant information needed to quickly and efficiently restore business functions.
Have a testing plan to test your DRP thoroughly and routinely to ensure no components in your plan fail without your knowledge, which may worsen a disaster’s effects.
Depending on the level of testing you want, there are five DRP testing options you can use:
Parallel and cutover testing: Run your recovery systems parallel to your current systems (parallel testing) or switch off your primary systems and run on your recovery systems (cutover testing).
As your company grows and evolves, your DRP will also need to change to keep up.
The best way to achieve this is to review your DRP whenever you test it. If you find new limitations or areas of your business not covered, you can quickly adapt or expand the plan accordingly.
In some cases, you may also find some aspects of your DRP have fallen into redundancy and no longer apply. Other parts that may need to change are key people (due to people leaving the company) and training procedures (due to people joining the company).
No DRP is complete without first being tested. Although the full extent of DRP testing is beyond this article’s scope, it is essential to test your plan before adopting it.
The five ways to test it are:
Parallel and cutover testing: For IT systems, you can either run your backup systems parallel to your current systems (parallel testing) or switch off your primary systems and run on your backup systems (cutover testing).
Small business DR planning is an essential practice for every small business. Although disaster planning may sound like something larger companies do, as a small company, you also have a lot to lose in case of disaster.
If you do not have a DRP in place, follow the simple steps laid out above to create a plan, even if it is just a single-page plan from a DRP template. If disaster strikes, you will be glad you took the time to prepare.